IEEE 802.11i extends IEEE 802.11-1999 by providing a robust security network (RSN) with two new protocols: the four-way handshake and the group key handshake. These use the authentication services and port access control described in IEEE 802.1X to establish and change the appropriate cryptographic keys. [2] [3] The RSN is a security network that only allows the creation of robust security network associations (RSNAs), a type of association used by a pair of stations (STAs) when the authentication or association procedure between them includes the four-way handshake. [4] 802.11i uses the authentication protocol of 802.1X with some enhancements, such as a four-way handshake and a group key handshake with appropriate cryptographic keys.

Like the 4-way handshake, the group key handshake provides a way to distribute a new GTK. The authenticator uses this handshake when only the GTK, but not the PTK, needs to be changed. The authenticator initiates the two-way group key handshake in the event of a Michael MIC failure, when deauthenticating or disassociating a station, or at a specified interval. In addition, a station may request a renegotiation of the GTK, which the authenticator then initiates. The station makes this request with a special EAPOL-Key packet.

The PMK is the basis of all other pairwise keys used in 802.11i. There is a unique PMK between each station and its associated AP. The PMK is the root of a key hierarchy, as shown in Figure 8-15.

Another key, the pairwise transient key (PTK), is used in the authentication process. After successfully authenticating and establishing the PMK (or if PSKs are used), a station must use the 4-way handshake to establish the transient keys with the AP. The 4-way handshake is an exchange of four EAPOL-Key message packets. It confirms that both parties still share a current PMK, exchanges nonces for use in building the key hierarchy, and exchanges the GTK. Figure 8-17 shows the 4-way handshake. This is where key management can begin. But first, you need to understand the different types of keys in 802.11i.

CCMP is based on the Counter with CBC-MAC (CCM) mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of the MPDU data field and selected parts of the IEEE 802.11 MPDU header.

Once the authentication process is complete, the wireless client can associate and register with the access point, which can be a router or switch. After association, the AP stores all the necessary information about the associated device so that data packets can be directed accurately.

AKA is a mechanism that performs authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks. AKA is a challenge-response based mechanism that uses symmetric cryptography. AKA is typically run in a UMTS IP Multimedia Services Identity Module (ISIM), which is an application on a Universal Integrated Circuit Card (UICC). AKA is defined in RFC 3310.

The authentication request is sent by the client to the access point and contains the Wired Equivalent Privacy (WEP) key for authentication. In response, the access point (AP) sends a success message only if the WEP key of the client matches that of the AP; otherwise, it returns an error message.

The main advantages of AKA over CAVE-based authentication are as follows: AKA provides procedures for mutual authentication of the mobile station (MS) and the serving system, as the basis for the 3G authentication mechanism, defined as the successor to CAVE-based authentication. The successful execution of AKA leads to the establishment of a security association (i.e. a set of security data) between the MS and the serving system, allowing a number of security services to be provided.

The network becomes more secure by providing the EAP method for authentication and by using mutual authentication at both the client end and the access point, with different types of encryption methods….